On the afternoon of November 30th, vehicles were parked at a Coupang depot in Jung-gu, Seoul. Coupang announced that it has confirmed the number of customer accounts with leaked personal information is 33.7 million. Reporter Choi Hyun-soo [email protected].
The Personal Information Protection Commission (PIPC) announced on the 3rd that it decided to have Coupang clearly renotify the incident as a “personal information leak.” Coupang had previously maintained that this incident was an “exposure” rather than a “leak.”
On this day, the PIPC held its 25th general meeting and decided to change Coupang’s previous announcement from “exposure” to “leak” and to include all leaked items in the renotification. Coupang had adhered to the term “exposure” from the beginning of the incident to downplay the damage, but CEO Park Dae-joon of Coupang attended an emergency inquiry at the National Assembly and apologized, saying, “It was not meant to evade responsibility for using the term ‘exposure.’ It was a lack of thought.”
Coupang is not properly informing affected customers about the incident. The company only had an apology posted on its website for 1-2 days. Furthermore, while providing guidance about the incident, it omitted some leaked items such as shared entrance passwords. The PIPC stated, “We confirmed that Coupang is causing confusion among the public.”
To alleviate public confusion, the PIPC decided that Coupang must more thoroughly carry out guidance measures for affected customers. In addition to renotifying the personal information leak, Coupang must take additional steps, including posting the leak details on the homepage or via pop-ups for an extended period, actively guiding users on how to prevent further damage, verifying the effectiveness of prevention measures, strengthening monitoring, and expanding the dedicated response team.
Coupang must submit the results of these measures to the PIPC within seven days. Although the PIPC’s resolutions don’t have legal force, it is known that companies involved in issues have complied with the PIPC’s decisions. The PIPC stated, “If Coupang’s violations of the Personal Information Protection Act are confirmed, we plan to impose strict sanctions and do our utmost to prevent the spread of damage and recurrence.”